Netgate Discussion Forum

    Create Internet Only Guest Access on my LAN

    General pfSense Questions
      mayall

      I have a simple network and would like to restrict guest access to the internet only while allowing all other devices unrestricted access.

      The basic net:

      Internet <--> modem/router <--> LAN

      I have a distant area with a single ethernet cable running to it. A switch connected to the cable has:

      • WiFi hub for "Guests". <<<< This is what I want to restrict to internet only
      • Two other devices that need full LAN and Internet access

      I do not have physical security for the devices so someone could see what devices are connected (along with their MAC on a label). Someone could easily plug into the switch or WiFi router.

      I'm pretty sure that putting a pfSense device between the LAN and the guest switch is the way to go:

      Internet <--> modem/router <--> LAN <--> pfSense <--> guest switch

      But I'm not sure it would work and there seems to be more than one way to do it.

      Bottom line for devices connected to the guest switch:

      1. Any traffic coming from the guest WiFi should only go to the Internet with no access to devices on the LAN (other than, I assume, the modem/router).

      2. Any traffic from just the two other devices should have full access.

      3. Any other device should be blocked.

      Can a pfSense device like an SG-1100 do this? How?

      Thanks!

        JKnott @mayall

        @mayall

        The WiFi part is easy enough, just use a VLAN and 2nd SSID. However, if someone has physical access to the network, there's not much pfSense can do, other than perhaps mapping IP to MAC address and not allowing any other addresses via DHCP. However, that wouldn't stop someone from manually configuring an address.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...
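
Added illustration (not part of the thread and not pfSense's own code): a small Python model of top-down, first-match interface rules for the layout discussed above, with a guest VLAN that reaches only the Internet and a wired segment that admits two known addresses. All interface names, subnets and addresses are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing; nothing here comes from the thread.
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GUEST_GW = ip_address("192.168.20.1")   # firewall's own address on the guest VLAN
TRUSTED = {ip_address("192.168.10.11"),  # the two wired devices, pinned by
           ip_address("192.168.10.12")}  # static DHCP mappings (MAC -> IP)


def is_private(dst):
    """True when the destination is in RFC 1918 space (LAN, firewall, router)."""
    return any(dst in net for net in PRIVATE)


# (interface, description, match(src, dst, port), action), evaluated top-down.
RULES = [
    ("GUEST", "DNS to firewall", lambda s, d, p: d == GUEST_GW and p == 53, "pass"),
    # Internet traffic only transits the modem/router as next hop, so guests
    # never need to address it (or any other private host) directly.
    ("GUEST", "no private destinations", lambda s, d, p: is_private(d), "block"),
    ("GUEST", "Internet", lambda s, d, p: True, "pass"),
    ("WIRED", "two known devices", lambda s, d, p: s in TRUSTED, "pass"),
    ("WIRED", "everything else", lambda s, d, p: True, "block"),
]


def decide(iface, src, dst, port):
    """Return (action, rule description) for one flow; first match wins."""
    src, dst = ip_address(src), ip_address(dst)
    for rule_if, desc, match, action in RULES:
        if rule_if == iface and match(src, dst, port):
            return action, desc
    return "block", "default deny"


if __name__ == "__main__":
    flows = [  # constructed sample flows
        ("GUEST", "192.168.20.50", "203.0.113.10", 443),   # guest -> Internet
        ("GUEST", "192.168.20.50", "192.168.1.10", 445),   # guest -> LAN host
        ("GUEST", "192.168.20.50", "192.168.20.1", 443),   # guest -> firewall GUI
        ("WIRED", "192.168.10.11", "192.168.1.10", 445),   # known device -> LAN
        ("WIRED", "192.168.10.99", "203.0.113.10", 443),   # unknown wired device
    ]
    for flow in flows:
        print(flow, "->", decide(*flow))
```

The wired rule keys on source address only, so a device that is manually set to one of the two known addresses gets the same result as the real one, which is the limitation noted in the reply above.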

          mayall @JKnott

          @JKnott Thanks!

          Using the SG-1100 I'd create the VLAN for only the guest WiFi router, correct?

          It sounds like I could make the rest of the net that is connected to the guest switch somewhat more protected but someone could hack it with the correct tools. That would probably be enough to keep out the casual hacker and probably good enough.

            akuma1x

            When you say "Two other devices that need full LAN and Internet access", are these wifi devices, or are they wired devices with cables plugged into your distant network switch?

            Jeff

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.